Privacy Preserving CTL Model Checking through ObliviousGraph Algorithms

Samuel Judson

Yale University

samuel.judson@yale.edu

Ning Luo

Yale University

ning.luo@yale.edu

Timos Antonopoulos

Yale University

timos.antonopoulos@yale.edu

Ruzica Piskac

Yale University

ruzica.piskac@yale.edu

ABSTRACT

Model checking is the problem of verifying whether an abstract

modelM of a computational system meets a specification of be-

havior ϕ. We apply the cryptographic theory of secure multiparty

computation (MPC) to model checking. With our construction, ad-

versarial parties D and A holdingM and ϕ respectively may check

satisfaction — notationally, whetherM |= ϕ — while maintaining

privacy of all other meaningful information. Our protocol adopts

oblivious graph algorithms to provide for secure computation of

global explicit state model checking with specifications in Compu-

tation Tree Logic (CTL), and its design ameliorates the asymptotic

overhead required by generic MPC schemes. We therefore intro-

duce the problem of privacy preserving model checking (PPMC) and

provide an initial step towards applicable and efficient construc-

tions.

CCS CONCEPTS

• Security andprivacy→Privacy-preserving protocols; •The-

ory of computation → Cryptographic protocols; Verification by

model checking; Logic and verification;

KEYWORDS

privacy; model checking; cryptography; multiparty computation;

verification; temporal logic

ACM Reference Format:

Samuel Judson, Ning Luo, Timos Antonopoulos, and Ruzica Piskac. 2020.

Privacy Preserving CTL Model Checking through Oblivious Graph Algo-

rithms. In 19th Workshop on Privacy in the Electronic Society (WPES’20),

November 9, 2020, Virtual Event, USA. ACM, New York, NY, USA, 15 pages.

https://doi.org/10.1145/3411497.3420212

1 INTRODUCTION

The techniques and theory of formal methods provide valuable

confidence in the correctness of programs and protocols. However,

Permission to make digital or hard copies of all or part of this work for personal or

classroom use is granted without fee provided that copies are not made or distributed

for profit or commercial advantage and that copies bear this notice and the full citation

on the first page. Copyrights for components of this work owned by others than the

author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or

republish, to post on servers or to redistribute to lists, requires prior specific permission

and/or a fee. Request permissions from permissions@acm.org.

WPES’20, November 9, 2020, Virtual Event, USA

© 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM.

ACM ISBN 978-1-4503-8086-7/20/11. . . $15.00

https://doi.org/10.1145/3411497.3420212

these tools are often costly to employ in both computational effort

and human effort. Their use is biased towards applications where

failures bring substantial economic or social cost — and commen-

surate legal risk and attention. The verification of cryptographic

libraries and protocols has become a recent focus of research [7]

as the use of cryptography to secure user data has come under

regulations such as the GDPR [23]. A classic domain for formal

methods is cyberphysical systems in aerospace engineering, trans-

portation, medicine, and industrial control systems [19, 55]. All are

heavily regulated (in the United States) by various federal and state

agencies such as the FAA and FDA. It is no coincidence that often

those settings that have seen the greatest use of formal methods

are those which are most closely governed, and receive the most

intense regulatory and legal scrutiny.

The traditional story of formal verification does not consider

conflicting purposes. Usually an engineer has a program, derives a

mathematical formalism representing its behavior, and automati-

cally checks that behavior meets a given specification of correctness

— all through their own modeling and computational effort [19, 55].

But this may be insufficient when the requirement for that veri-

fication is imposed by an external party, such as a regulator. An

analysis is only as good as the modeling of the computation, the

quality of the tools, and the soundness of the assumptions. Rather

than trust procedure, a regulator may reasonably prefer to execute

the formal verification themselves or through a trusted, technically

adept agent.

Such an effort may clash with concerns of privacy and propri-

ety. A vehicle manufacturer or high-frequency trader might doubt

that a government regulator will respect the privacy of code of

immense economic value, or might doubt that employees of that

regulator will not carry knowledge to their competitors through a

revolving door. A concrete example arises in private governance,

as Apple and Google regulate distribution of apps on their mobile

device platforms, a role which gives them special access to the soft-

ware of the competitors who create third-party alternatives to their

own services. The anti-competitive uses of this power have come

under scrutiny — such as in 2019 when Apple removed parental

control apps they had long allowed just after integrating competing

functionality directly into their operating system [35].

Nonetheless, Apple and Google have compelling economic and

social justifications in requiring app review before allowing distri-

bution. Static analysis tools have been developed to evaluate apps

for malware and privacy invasion through tracking [5, 20, 21, 47].

The use of such tools during review may prevent proliferation

of harmful software for the benefit of both users and platforms.

Further, the example of app store maintainers raises that privacy

concerns regarding verification may go in both directions. A tool

such as PiOS [20] evaluates the potential for data exfiltration by

iOS apps. But what information, and to what extent, is considered

unnecessary or harmful may be nebulous, personal, or dependent

on context. Any line drawn would be arbitrary, and a regulator

may wish to keep their requirements private so as to not present a

simple and static target.

Our work commences a study of the use of applied cryptography

to mitigate this tension between privacy and assurance. To allow

two parties to execute a formal verification — in this case, by way of

model checking —while maintaining privacy over both the program

or protocol being verified and the specification of behavior it is

required to meet.

We consider a setting where an auditor A wishes to verify a

program held by D, the developer. D possesses a model of program

executionM rendered as a graph-theoretic Kripke structure while

A has a specification of program behavior ϕ written in Compu-

tation Tree Logic (CTL) [14, 16, 17]. We construct an interactive

protocol to decide whetherM |= ϕ, i.e., whether the specificationholds over the model. By use of the cryptographic theory of secure

multiparty computation (MPC) [8, 25, 26, 29, 43, 44, 48, 57], our

protocol severely limits the information D and A learn about the

input of the other under standard adversarial assumptions. More-

over, our protocol runs in local and communication complexities

O ( |ϕ | · |M|) and therefore requires no asymptotic overhead. Our

work adopts and combines recent advances in efficient MPC exe-

cution, secret sharing, and data-oblivious algorithms, particularly

over graphs [10].

We note that the utility of our protocol requires that D inputs

anM which accurately and adequately represents the program

execution. Systemic factors must motivate honest inputs by the

parties. In a regulatory setting, this may be because of substantial

punitive powers or legal recourse available toA should they learn of

dishonest behavior, or because they provide the tools necessary for

model extraction. For example, Apple and Google provide tooling

for application development on their platforms. As with all privacy

engineering, our construction requires careful consideration of

how it fits into the broader system to make sure its privacy and

correctness goals are practically met. Even if not fully absolving

the need for trust or binding agreement between developer and

auditor, our protocol recasts harm from the potentially murky and

indeterminate ‘did the auditor gain valuable information fromM?’

to the incontrovertible ‘did the developer misrepresentM?’, which

may make asymmetrical privacy and correctness concerns easier

to negotiate. We discuss relevant related work and potential future

directions in §7.

In summary, this paper contributes (i) recognizing that privacy

concerns may arise in the use of modern program analysis and

verification techniques; (ii) observing that the graph-theoretic na-

ture of model checking renders it amenable to approach through

oblivious graph algorithms; (iii) the full design and implementation

of an MPC protocol for privacy preserving model checking; and

(iv) an experimental evaluation of that construction.

We proceed as follows. In §2 we introduce both model checking

of CTL and our necessary cryptographic primitives. Our contribu-

tions begin in §3, with data-oblivious model checking subroutines

based on prior work for oblivious graph algorithms. We then give

our full model checking construction in §4. We follow with dis-

cussion of our implementation and experimentation in §5, cover

related work in §6, and consider potential future work and conclude

in §7.

2 PRELIMINARIES

The best known temporal modal logics are Linear Temporal Logic

(LTL) operating over program traces, Computation Tree Logic (CTL)

operating over the computation tree of program traces, and their su-

perset CTL∗[14, 16, 17, 50]. Each are propositional logics extended

with temporal operators X (at the next), F (finally, i.e. eventually),

G (globally, i.e. always), and U (until), while CTL and CTL∗add

quantifiers E (exists a branch) and A (for all branches) over the

tree. CTL allows expression of statements such as AG (userdata →AG ¬network ) where userdata and network are atomic predicates

over the program state. Verifying a program meets such a specifi-

cation then assures that whenever it accesses user data it does not

later invoke networking functionality. In this manner, temporal log-

ics allow expressing liveness (something must always happen) and

safety (something must never happen) properties of a computation.

CTL requires temporal operators be directly preceded by a quan-

tifier. This requirement allows it to be model checked in polynomial

time through a relatively straightforward and efficient recursive al-

gorithm, whereas model checking LTL and CTL∗have been shown

to be PSPACE-complete [15, 52]. As such we limit our attention to

CTL, and leave LTL and CTL∗to future work. The interested reader

may find far more comprehensive discussions of these logics, their

similarities and differences, and their checking in [16, 17].

Secure multiparty computation (MPC) is the cryptographic prob-

lem of executing an algorithm where the inputs are held by dif-

ferent parties, such that no participant learns any information

other than what is implied by their own input and the output.

We will restrict our interest to secure two-party computation (2PC),

as it fits our setting and simplifies analysis as parties need not

be concerned with collusion — we will somewhat improperly use

both terms interchangeably within this paper. Generic techniques

for secure computation of circuits — potentially employed with

oblivious RAM — may be used ‘off-the-shelf’ to provide 2PC for

any computable function, but at cost of at least logarithmic over-

head [8, 25, 26, 29, 43, 44, 48, 57]. Instead, we will present a tailored

protocol for our problem with minimal leakage and no additional

asymptotic cost.

We proceed with short introductions on both topics.

2.1 Model Checking

A Kripke structure [16, 17] is a standard formalism used to abstractly

represent the possible executions of a program. It is defined as a

tuple M = (S, I , δ , L) , where S is a set of states with n = |S |,I ⊆ S a set of initial states, δ ⊆ S × S a transition relation — with

(si , sj ) ∈ δ for i, j ∈ [n] denoting that sj is a successor of si — and

L : S → 2qa labeling function mapping states to subsets of the q

available labels. We note that O (n2) = |M|.

s0ℓ1

s1ℓ1

s2ℓ1ℓ2

s3ℓ2ℓ3

ℓ1

ℓ1ℓ2

ℓ2ℓ3

ℓ2ℓ3

.

.

.

ℓ1

ℓ1

.

.

.

ℓ1ℓ2

ℓ2ℓ3

ℓ2ℓ3

.

.

.

Figure 1: A Kripke structure (left) modeling the program given in Exam-

ple 2.1, and its corresponding computation tree (right). The vertices and edges

in the computation tree show a failed checking for A ℓ1 U ℓ3, which holds at

s2 and s3 (dashed blue) but not s0 or s1 (dotted orange).

Example 2.1. Consider a toy authentication program implement-

ing session management. When an unknown user arrives they are

prompted for credentials, and reprompted if those credentials are

invalid. Once valid credentials are provided, a session is then en-

abled. Abstracting away implementation details we can model the

execution of the program through the following three predicates:

NoSession denoted by ℓ1, ValidCredentials denoted by ℓ2, and Ses-sionEstablished denoted by ℓ3. A corresponding Kripke structure

is given in Figure 1.

If we want to establish that (i) SessionEstablished occurs; and

(ii) until then along all preceding paths NoSession holds, we can

express this property with the CTL formula A ℓ1 U ℓ3. Our example

structure does not meet this specification as the user need not

ever successfully authenticate, in which case a session is never

established.

As is common we treat the number of labels q as a constant, due to

it being a systemic parameter rather than an instance-specific input.

We assume that δ is left-total, so that every state has at least one

successor (possibly itself). We let ℓk for k ∈ [q] denote an arbitrary

label, and define the Boolean function ℓk (s ) to indicate whether

label ℓk is assigned to state s .

Each ℓk label corresponds to some predicate, and ℓk (s ) indicateswhether that predicate is true at s . In Example 2.1, the labels capture

the knowledge the system has of user session status at each state

in its execution. For instance, at s2 it is true that the user has pro-vided valid credentials, but it is false that they have had a session

established. We presume a givenM is a sound representation of

a computation, but beyond that how it is derived from a specific

program or protocol is beyond our concern.

The essential structure ofM is the directed graph induced by

δ where each s ∈ S is treated as a vertex. Originating from an

initial (source) state, the set of infinite walks on this graph may

be viewed as a computation tree of infinite depth. Every initial

state in I produces a different tree. Each infinite walk (or trace)

through a tree corresponds to an infinite walk through the directed

graph representation ofM. These traces must capture all possible

behaviors of the program represented byM with respect to the

label predicates. We concern ourselves with discrete timing, so that

the ith layer of the computation tree corresponds to time t = iindexed from zero (so that the root occurs at t = 0).

CTL, introduced in [14], is a suitable modal logic for expressing

properties regarding the labeling of states in the computation tree,

and so implicitly for expressing properties of the computation the

tree represents. With it, we may write specifications for how the

program must behave. The full grammar of CTL is given by

ϕ := f alse | true | ℓk | ϕ ∧ ϕ | ϕ ∨ ϕ | ¬ϕ | ϕ → ϕ | ϕ ↔ ϕ |

EX ϕ |AX ϕ |EF ϕ |AF ϕ |EG ϕ |AG ϕ |E ϕ U ϕ |A ϕ U ϕ .

The standard propositional operators are as expected, the (infor-

mal) meanings of the various temporal operators were given in the

preceding paragraphs, and an atom ℓk is an atomic predicate repre-

sented by that label. Note as well that throughout the discussion

we will use |ϕ | =m to denote the operator length of ϕ — we do not

count the atomic predicates.

We say that ‘M satisfies ϕ’, denoted M |= ϕ, if and only if

ϕ holds at the root of all computation trees, i.e. at t = 0 for all

traces. A model checking algorithm is a decision procedure such

that checkCTL (M, ϕ) = 1 if and only if M |= ϕ. Our example

formula ϕ = AG (userdata → AG ¬network ) may be read as ‘for

all traces starting at t = 0, if a state labeled userdata is reached

then the trace must never again reach a state labeled network’. We

overload the notation s |= ϕ to denote that ϕ holds at a specific state

s . ThatM |= ϕ then becomes expressible as ‘for all i ∈ I , si |= ϕ’.Multiple minimal grammars — from which the remaining operators

may be constructed — are known, of which we will consider model

checking over the restriction

ϕ := true | ℓk | ϕ ∧ ϕ | ¬ϕ | EX ϕ | E ϕ U ϕ |A ϕ U ϕ

due to the simplicity of the resultant algorithm. We may refer to the

full grammarwhen convenient, and also note that in our algorithmic

discussion we will freely use substitutions f alse = 0 and true = 1.

For brevity we will not provide the full semantics of CTL, nor

will we provide for the model checking algorithm a proof of its sub-

stantiation of those neglected semantics. We consider an informal

understanding of the computation tree and temporal operators to

be more than satisfactory to understand the nature of our privacy

preserving construction, and refer the interested reader to [16, 17]

for a far more comprehensive discussion of these concerns.

Model Checking CTL. We give a global explicit model checking

algorithm for our chosen minimal CTL grammar as Algorithm 1,

up to the ‘quantified until’ operators of EU and AU which are

given in Algorithm 2 and Algorithm 4 respectively. That every

temporal operator in CTL is quantified has the crucial quality that

all CTL formulae are state formulae — their truth at a given state is

independent of when in a trace the state is reached, as opposed to a

path formulawhich is trace-dependent. This allows model checking

in timeO (mn2) for |M| = O (n2) and |ϕ | =m as we may recursively

walk through the formula tree and use the per-state truth values

for each subformula as the inputs to its parent, with each operator

checkable in time O (n2). We once again refer the reader to [16, 17]

for discussion of state and path formulae.

The checking subroutines for ¬ϕ andψ ∧ ϕ are both immediate:

s |= ¬ϕ iff ¬(s |= ϕ) and s |= ψ ∧ ϕ iff (s |= ψ ) ∧ (s |= ϕ). So we

just take the output of the recursive calls and apply the relevant

1: function checkCTL

(M, ϕ):2: oϕ ← rec(M, ϕ )3: sat ← 1

4: for all i ∈ [n] do5: sat ← sat ∧ (oϕ [i] ∨ ¬M .S[i].inI )6: return sat7:

8: function checkAND(M, lψ , rϕ ):

9: for all i ∈ [M .n] do10: o[i]← lψ [i] ∧ rϕ [i]11: return o12:

13: function checkNOT(M, rϕ ):

14: for all i ∈ [M .n] do15: o[i]← ¬rϕ [i]16: return o17:

18: function checkEX(M, rϕ ):

19: for all i ∈ [M .n] do20: for all j ∈ [M .n] do21: o[i]← o[i] ∨ (M .δ [i][j] ∧ rϕ [j])22: return o23:

24: function rec(M, ϕ):25: (op, ψ , ϕ ) ← parse(ϕ )26:

27: if op = ∧ then

28: return checkAND(M, rec(M, ψ ), rec(M, ϕ ))29: else if op = ¬ then

30: return checkNOT(M, rec(M, ϕ ))31: else if op = EX then

32: return checkEX(M, rec(M, ϕ ))33: else if op = EU then

34: return checkEU(M, rec(M, ψ ), rec(M, ϕ ))35: else if op = AU then

36: return checkAU(M, rec(M, ψ ), rec(M, ϕ ))37: else ▷ op is an atom ℓk .38: k ← label(op )39: for all i ∈ [M .n] do40: o[i]← M .ℓk (M .S[i])41: return o

Algorithm 1: The checkCTL algorithm up to the quantified until operator

subroutines and various helper functions.

Boolean operator. Moreover, s |= EX ϕ iff there exists an s ′ suchthat (s, s ′) ∈ δ and s ′ |= ϕ. So we may iterate over all state pairs

to see if such a successor exists, using the output of the recursive

call. That these algorithms areO (n),O (n), andO (n2) respectively isstraightforward. Notably, for allϕ ′ ∈ {ψ∧ϕ, ¬ϕ, EXϕ} the relevantsubroutine can determine whether si |= ϕ

′without consideration

of sj |= ϕ′for any j , i . Each state may be processed in isolation, a

trait which will shortly be of great convenience.

Such is not true for E ψ U ϕ and A ψ U ϕ. For any state s forwhich s |= ψ yet s ̸ |= ϕ, the truth of the formula is dependent

on the existence of a path or paths through similar states to an

s ′ for which s ′ |= ϕ. As such, we may not just look directly to

the output of the recursive calls to determine satisfaction — rather

we’ll have to build any such paths, which we may do efficiently by

working backwards. The essential insight is that the algorithm is

analogous to a breadth-first search — although we don’t need to be

concerned with the depth of the vertex, and we do need to handle

labels. Instead of emanating out from the source to the periphery,

we start at the periphery of states where s |= ϕ, and walk back

towards the source.

To do so, in Algorithm 2 and Algorithm 4 we initialize a set of

‘ready’ states R to those states for which ϕ holds, and then pull

an ‘active’ state s in each loop iteration. We will use the language

‘made ready’ for a state being added to R, and ‘made active’ for a

state being chosen as s . We then walk over the predecessors of s ,and (for EU) add the predecessor if ψ holds at it or (for AU) add

the predecessor if all the successors of it have been active, tracked

using a decremented counter. The formula then holds at any state

which is ever added to R, and we use another set K to track ‘known’

states so that we do not add a state to R multiple times. Since a state

may be active exactly once and when it is we review all n possible

predecessors, both these algorithms are O (n2).The model checking of CTL and its optimizations are discussed

at far greater length in [16, 17], and we refer to them the interested

reader who finds our discussion overly terse. We conclude with the

following theorem, and refer to [15] for a proof.

Theorem 2.1. For any Kripke structureM = (S, I , δ , L) and CTLformula ϕ

(1) checkCTL (M, ϕ) = 1 if and only ifM |= ϕ; and(2) checkCTL (M, ϕ) runs in time O (mn2) where |M| = O (n2)

and |ϕ | =m.

2.2 Privacy Preserving Computation

Secure multiparty computation (MPC) provides for the joint com-

putation of a function f (x1, . . . , xu ) = y when f is public and

each xi is the private input of mutually distrustful parties. We re-

quire that the computation of y be correct, but at the conclusion a

party i should know nothing more about x1, . . . xi−1, xi+1, . . . , xuthan what is implied by xi and y. In our setting, we will concern

ourselves solely with secure two-party computation (2PC).

Our construction will provide privacy in the semihonest model1

— we assume that our parties follow the protocol as prescribed

honestly, but still attempt to learn about the input of the other party

to the extent possible. This is in contrast tomalicious security, where

the parties may violate the protocol to try and learn information.

Proving privacy in the semihonest model falls under the simulation

paradigm. Suppose we wish to design a protocol Π to compute

f (x0, x1) = y where x0 is the input of A and x1 is the input of B.

Let λ ∈ N be a security parameter. Define viewA (Π, x0, B (1λ , x1))

to be the view ofAwhen interactively computing f withB: an objectcontaining x0, every random coin flip A samples, every message Areceives from B, every intermediary value A computes, and y. Theview captures all information known to A at the conclusion of the

joint computation of f .We prove privacy by showing that we can replace B with a

probabilistic polynomial-time (PPT) simulator SimB (1λ , x0, y) such

that A cannot distinguish between an interaction with B and SimB .

Note that SimB takes only public information and the informa-

tion of A — by definition A cannot learn anything from interact-

ing with it. Formally, we model A as a PPT adversary A who

must attempt to distinguish between viewA (Π, x0, B (1λ , x1)) and

viewA (Π, x0, SimB (1λ , x0, y)) by outputting a bit b ∈ {0, 1} identi-

fying which counterparty they are interacting with. We will define

secure computation of a function f : X0 × X1 → Y by a protocol

Π on behalf ofB if for all PPT adversariesA and allx0 ∈ X0 andx1 ∈X1, viewA (Π, x0, B (1

λ , x1)) and viewA (Π, x0, SimB (1λ , x0, y)) are

1Also known as the honest-but-curious model.

computationally indistinguishable, or

|Pr[A (1λ , viewA (Π, x0, SimB (1λ , x0, y))) = 1]

− Pr[A (1λ , viewA (Π, x0, B (1λ , x1))) = 1]| ≤ negl(λ)

where negl(λ) is a function eventually bounded above by the in-

verse of every polynomial function of λ.We notate computational indistinguishability of views by

viewA (Π, x0, B (1λ , x1)) ≈ viewA (Π, x0, SimB (1

λ , x0, y)).

We call the left hand the real world and the right hand the ideal

world, as privacy follows by definition within the latter. Since SimBis constructed based only on the knowledge of A and the output of

the computation, were information leaked by B in the real world

then A would be able to use that information to distinguish be-

tween the interactions. We may prove privacy for the inputs of A

identically, by constructing a SimA (1λ , x1, y) such that the view of

B in the resultant ideal world is also indistinguishable from the real

world. We refer the interested reader to [24, 43, 44] for more for-

mal treatments and further discussion of the theory of multiparty

computation.

Multiparty Computation Primitives. Generic techniques are known

which provide for secure computation of all computable functions

with logarithmic asymptotic overhead and computational (or bet-

ter) security [8, 25, 26, 29, 43, 44, 48, 57]. Of these primitives, our

work will make use of garbled circuits with oblivious transfer in the

semihonest model due to Yao [43, 57]. However, we will not simply

be rendering the decision procedure checkCTL (M, ϕ) as a circuit.Rather, we will employ constant-sized binary circuits for certain

intermediary computations, and then use data-oblivious computa-

tion [26] and compositionality [12] to combine these intermediary

results to execute the full checking.

For concision we will not delve into the details of garbled cir-

cuits or their underlying cryptographic components. Rather, for

the remainder of the discussion we will assume access to a protocol

(y ∥ y) ← GC(c; x0 ∥ x1), such that if c is a circuit description of a

function f , then GC securely and correctly computesy = f (x0, x1).Here, our notation Π(x0 ∥ x1) indicates that protocol Π is interac-

tively executed between two parties with inputs x0 and x1 respec-tively, while (y ∥ y) indicates which parties receive the output. It

is possible to execute a garbled circuit computation so that either

party — or both — receive it. We will make use of this flexibil-

ity throughout our construction. We also note that GC(c; · ∥ ·)maintains the asymptotic complexity of c.

Data-Oblivious Computation. Our treatment of data-oblivious

computation follows that of Goldreich and Ostrovsky in [26] in the

random access machine (RAM) model of computation. We define a

RAM as composed of two components, RAM = (CPU , MEM ), ableto communicate with each other. This object may be formalized as

a pair of Turing machines with access to shared tapes facilitating

the passing of messages. TheCPU machine contains some constant

number of registers each of size k bits, into which information may

be written, operated upon, and read for copying. TheMEM machine

contains 2kwords, each of constant sizew , and each addressed by

a bitstring of length k . The CPU sends messages to MEM of the

form (i, a, v ) where i ∈ {0, 1}2 represents one of write, read, or

halt, a ∈ [2k ] is an address, and v ∈ [2w ] a value. Upon receipt of

a (write, a, v ) commandMEM copies v into the word addressed

by a, upon a (read, a, ·) command returns the current value in the

word addressed by a, and upon (halt, ·, ·) outputs some delineated

segment of memory, such as the segment of lowest addressed words

until that containing a special value is reached.

A RAM is initialized with input (s, y), where s is a special startvalue for the CPU , and y an initial input configuration to MEMwhich writes both program commands and data values into various

addresses ofMEM . We denote byMEM (y) the memory when ini-

tialized with y, and CPU (s ) analogously. The RAM then executes

by reading commands and data to registers of the CPU , comput-

ing on them while there, and writing back toMEM , before finally

issuing a halt command. We denote the output of this compu-

tation by RAM (s, y), and can define a corresponding access pat-

tern. The access pattern of a RAM on input (s, y) is a sequence

AP (s, y) = ⟨a1, . . . , ai , . . .⟩ such that for every i , the ith mes-

sage sent byCPU (s ) when interacting withMEM (y) is of the form(·, ai , ·).

To formulate a definition of a data-oblivious program, we first

split the input y into two substrings, a program P and data x , sothat y = ⟨P , x⟩. Then, we say a program P is data-oblivious with

respect to an input class X , if for any two strings x1, x2 ∈ X , should

|AP (⟨P , x1⟩) | and |AP (⟨P , x2⟩) | be identically distributed, then soare AP (⟨P , x1⟩) and AP (⟨P , x2⟩). Intuitively, an observer learns

nothing more than the length of the inputs from the access patterns

of a data-oblivious program.

We restrict our inputs to a class X as a form of ‘promise’ that

the inputs are interpretable as the objects of the correct structure,

which we may reasonably assume in the semihonest model. Our

analysis of data-oblivious computation will be natural for inputs of

the same structural length — pairsM, M ′ such thatM .n =M ′.n,and pairs ϕ, ϕ ′ such that ϕ .m = ϕ ′.m. So we will further assume a

standardized input format so that |⟨M, ϕ⟩| = |⟨M ′, ϕ⟩| for all ϕ,and |⟨M, ϕ⟩| = |⟨M, ϕ ′⟩| for allM.

Given a data-oblivious computation — either (i) a data-oblivious

algorithm, or (ii) any program which has been made oblivious

by an application of Oblivious RAM (ORAM) — an MPC protocol

follows [29]. As the control flow of the program is fixed and known

publicly, both parties may follow it in lockstep. All intermediary

computation over variables is done using a suitable protocol for

secure computation of binary or arithmetic circuits [8, 25, 43, 44, 57].

The one final component is a scheme for secret sharing, which

allows intermediary values for each variable to remain private

during the execution of the program. In our protocol we will also

take advantage of a particular secret sharing scheme which allows

some additional flexibility to the computation — A will be able to

vary their inputs to certain intermediary computations based on ϕ,at some additional concrete cost.

Secret Sharing. A secret sharing scheme allows a value x to be

stored communally by two parties. The collaboration of both are re-

quired to reconstruct x . We will employ two secret sharing schemes.

The first,ΠotpS = (Shareotp , Reconstructotp ), operates as follows.

To share a value x ∈ Z2, denoted [x], Shareotp (x ) uniformly sam-

ples a$

←− Z2 and computes b ← x − a (equiv. x ⊕ a). One party

holds a as a share, the other party b. Reconstructotp (a, b) com-

putes x ← a +b (equiv. a ⊕ b). We may secret share arbitrarily long

bitstrings by sharing each bit separately with ΠotpS using indepen-

dent randomness. Although for brevity we omit the formal security

definition of secret sharing, it is straightforward to see that given

just one of a or b, the value of x is uniformly distributed and so the

scheme hides it with information-theoretic security.

The scheme Πpr fS = (Genpr f , Sharepr f , Reconstructpr f ) re-

quires the existence of a pseudorandom function (PRF). This is a

keyed function PRF : {0, 1}λ × {0, 1}y → {0, 1}z for λ, y, z ∈ Nfor which the distribution of PRF(sk, x ) is computationally indis-

tinguishable from uniformly random for an adversary which does

not know sk . We let Genpr f (1λ ) be the key generation algorithm

for the PRF which is run at setup. To share a value x ∈ {0, 1}z ,

denoted [[x]], Sharepr fsk (x ) uniformly samples r

$

←− {0, 1}y and

computes c ← PRF(sk, r ) ⊕x . One share is then sk , and the other is

⟨c, r ⟩. To reconstruct the value, Reconstructpr fsk (⟨c, r ⟩) computes

x ← PRF(sk, r ) ⊕ c .The sharing and reconstruction algorithms given are identical

to a standard construction for producing a semantically secure sym-

metric key scheme for multiple encryptions out of a PRF [37]. By

using an encryption scheme for secret sharing, we have the bene-

fit that we can have multiple shared values [[xi ]], with one party

having the same share — sk — for all of them. This allows the other

party to vary which ⟨c, r ⟩i they input into a given intermediary

computation [49]. The cost for this flexibility is that Πpr fS is far

more computationally expensive than ΠotpS , particularly as we will

need to execute these secret sharing schemes — and so our PRF —

within garbled circuits. We use AES-128 for Πpr fS as it is commonly

modeled as a PRF, which in our implementation requires 5440 en-

crypted gates within a garbled circuit to share or reconstruct, while

ΠotpS requires no such gates due to Free-XOR techniques [41, 58].

If ambiguous, we will notate that the key share for a Πpr fS

share is sk by [[x]]sk . We will abuse notation by, given a vector

x̂ = ⟨x1, . . . , xv ⟩, using [x̂] to represent ⟨[x1], . . . , [xu ]⟩ and sim-

ilarly for [[x̂]] and ⟨[[x1]], . . . , [[xv ]]⟩. We will also write [z] ←f ([x], [y]) as shorthand for

(· ∥ b3) ← GC(f′;a1, a2, a3 ∥ b1, b2)

where a1 + b1 = x , a2 + b2 = y, a3 + b3 = z, and f′ = (Shareotp ◦f ◦ Reconstructotp ). It will be particularly common for us to

write [z]← [x] ∧ [y] or similar for various binary operations. To

take advantage of the opportunity for increased efficiency where

our protocol adapts truly data-oblivious processing, we will pre-

fer to use ΠotpS over Π

pr fS whenever possible. So, we define two

algorithms, [x]← simplify([[x]]) and [[x]]← complicate([x])which simply compose reconstruction from one secret sharing

scheme and sharing from the other as necessary.2We let [x] ←

2For simplify from a Π

pr fS share to a Π

otpS share, the reconstructed output is treated

as a bitvector and each bit reshared using ΠotpS separately. The parties can then retain

the necessary number of bits for the type, e.g., just the most significant bit if the object

is an indicator. In the other direction ΠotpS shares can be padded out with 0s to length

z for complicate into a Πpr fS share.

Simplify(sk, [[x]]) stand in for

(a ∥ b) ← GC(simplify; sk ∥ ⟨c, r ⟩)

and analogously for [[x]]← Complicate(sk, [x]). Finally, we let(x ∥ x ) ← Reveal([x]) refer to a subprotocol which just interac-

tively executes share reconstruction.

3 OBLIVIOUS MODEL CHECKING

Our goal is to construct a secure computation protocol for comput-

ing the predicateM |= ϕ when D holdsM and A holds ϕ. We now

show that — should D and A be willing to treat n andm as public

inputs — the various operator subroutines of checkCTL are either

data-oblivious or may be rewritten to be so. This allows us direct

adaption of these subroutines into (a part of) an MPC protocol

using the preferred ΠotpS secret sharing scheme.

As shown in Algorithm 2 and Algorithm 4, the checkEU and

checkAU subroutines branch in a manner dependent on the truth

values of both their subformulae and on δ . Branching on the former

may leak information regarding ϕ toD, the latter information about

M to A. Moreover, both algorithms draw an ‘active’ state s froma set R in each outer loop iteration, and may add another state

s ′ to R for later drawing only if (s ′, s ) ∈ δ . The resultant order inwhich states are accessed reveals information about δ . Our modified

algorithms obscure these data access patterns through padding of

branches and randomization.

We must also provide data-oblivious variants for the other op-

erators, but this will require no effort. All of checkAND, checkNOT,and checkEX as given in Algorithm 1 are data-oblivious.

3

As noted in §2, there is a conceptual parallel between the checkEUand checkAU subroutines and breadth-first search. As such, our

oblivious variants are derived from the oblivious BFS algorithm

due to Blanton et. al. [10]. However, that work only considers a

single source and does not support any label structure, so it does

not directly fit our setting. For clarity, we will describe the simpler

obcheckEU algorithm in full, and briefly discuss the straightforward

addition required for obcheckAU at the end. We refer the reader

to Algorithm 3 to follow the discussion as it formally presents the

oblivious algorithm.

3.1 The Until Operators

The high-level description of obcheckEU is as follows. As within

checkEU, we progress through a loop where each iteration we draw

a yet unvisited state. In the original algorithm, we only ever draw

states si for which si |= Eψ U ϕ. In the oblivious variant we draw

all states, but give priority to those for which the subformulae holds.

Only after these have been exhausted do we pad out the loop with

the remainder. Then, for each drawn state we walk over all states sj ,and update a status bitvector with whether sj |= ψ and (sj , si ) ∈ δ ,in which case sj |= E ψ U ϕ. In addition to this padding, where

we differ most substantially from the non-oblivious algorithm is

that the order of the states, and the mechanism by which we draw

them, are both uniformly distributed. This prevents the operations

3We take as assumptions that reading, writing, and incrementing/decrementing ele-

ments of N, array lookups, and evaluation of any specific arithmetic or propositional

formula all take a constant number of instructions — assumptions valid under careful

cryptographic engineering.

1: function checkEU(M, lψ , rϕ ):

2: o ← rϕ3: R ← {i | rϕ [i] = 1}

4: K ← ∅5: while R , ∅ do

6: i ← draw(R )7: for all j ∈ {j′ | (sj′, si ) ∈ δ } do

8: if lψ [j] ∧ j < K then

9: o[j]← 1

10: R ← R ∪ {j }11: K ← K ∪ {j }12: R ← R \ {i }13: return o

Algorithm 2: The checkEU algorithm.

1: function obcheckEU(n, Mπ1, lψπ

1, rϕπ

1, idxsπ

2):

2: R̂ ← rϕπ1;ˆψ ← lψπ

1; K̂ ← 0

n

3: for all t ∈ [n] do4: i, i′ ← ⊥; m, m′ ← 0

5: for all c ∈ [n] do6: b1 ← R̂[c] ∧ ¬K̂ [c]; b2 ← (idxsπ

2[c] > m)

7: i ← cb1b2 + i (1 − b1b2 )8: m ← idxsπ

2[c] · b1b2 +m (1 − b1b2 )

9: for all c′ ∈ [n] do10: b′

1← ¬R̂[c′] ∧ ¬K̂ [c′]; b′

2← (idxsπ

2[c′] > m′)

11: i′ ← c′b′1b′2+ i′ (1 − b′

1b′2)

12: m′ ← idxsπ2[c′] · b′

1b′2+m′ (1 − b′

1b′2)

13: b3 ← (i = ⊥)14: i∗ ← i′b3 + i · (1 − b3 )15: for all j ∈ [n] do16: R̂[j]← R̂[j] ∨ (R̂[i∗] ∧ Mπ

1.δ [j][i∗] ∧ ˆψ [j])

17: K̂ [i∗]← 1

18: return R̂

Algorithm 3: The oblivious obcheckEU algorithm.

which are dependent on the chosen state index from leaking any

information.

Our initial change for obcheckEU regards the inputs. We require

that rϕ , lψ , and the rows and columns ofM .δ be permuted by π−11

,

the inverse of a uniformly sampled π1$

←− Sn where Sn is the set of

permutations of length n. Under this permutation, rϕπ1 [i] indicates

whether sπ1 (i ) |= ϕ, lψπ1 [i] indicates sπ1 (i ) |= ψ , andMπ1 .δ[i][j]

indicates (sπ1 (i ) , sπ1 (j ) ) ∈ δ . We also require an additional auxil-

iary input [idxsπ2 ], which is the permuted vector π2 ([n]) for some

π2$

←− Sn sampled independently of π1. Looking ahead, this vector

will be used to select from a set of elements with uniformly dis-

tributed priority. The obcheckEU algorithm begins by initializing

two bitvectors R̂ andˆϕ using these inputs, and setting an empty

bitvector K̂ .For the inner loop iteration at Lines 5-8 of Algorithm 3, if R̂[c]∧

¬K̂[c] then sπ1 (c ) |= Eψ U ϕ and, as per §2, sπ1 (c ) has been ‘made

ready’ but has not yet been ‘made active’. To match Line 6 of Al-

gorithm 2, we want to pick just such a state to process in each

loop iteration by setting i = c . Moreover, to avoid overhead we will

want our access pattern to be able to depend on i so that we only

need to process its column ofMπ1 .δ (at Lines 15-16). Though the

application of π1 makes each c independent of the original stateidentifier, a deterministic rule for choosing i might leak information.

For example, if we were to take the maximal c then an adversary

would know that

∑nk=0 R̂[k] ≤ c .

To make the choice of i random, we effectively map each candi-

date c to idxsπ2 [c], and set to i whichever has the maximal mapping.

Usingm as a temporary variable storing the largest idxsπ2 [c] yetseen for a candidate c , at the conclusion of the loop:

i = argmax

c ∈[n]{ idxsπ2 [c] | R̂[c] ∧ ¬K̂[c] }.

As π2 is uniformly random and independent of π1, i is uniformly

distributed across [n]. In effect, π2 makes i a uniform choice of a

ready state from R̂, which ready states are themselves randomly

distributed within [n] by π1. Altogether it is functionally equivalentto Line 6 in Algorithm 2, but leaks no information aboutM.

For the inner loop at Lines 9-12 we do similarly, but this time

pick an i ′ such that sπ1 (i′) ̸ |= Eψ U ϕ and which has not yet been

processed. When i = ⊥ (because every c for which R̂[c] = 1 has

already been processed) we set i∗ = i ′ instead, which pads out

the outer loop by uniform selection over all yet unvisited nodes.

Whether i∗ = i or i∗ = i ′, we then iterate down the i∗th column of

Mπ1 .δ = π−11

(δ ), and for all j ∈ [n] set

R̂[j] = R̂[j] ∨ (R̂[i∗] ∧Mπ1 .δ [j][i∗] ∧ ˆψ [j]).

When R̂[i∗] = 1 this update follows the same logic as in the original

algorithm. For any padding iterations as R̂[i∗] = 0 the right hand

clause of this predicate will never hold and R̂ will not change. We

note that as a minor optimization, any value c which has previously

been selected as i∗ may be ignored during all three inner loops — it

will never be chosen again as i or i ′, and either R̂[c] = 1 or R̂[i∗] = 0

for the current iteration.

At the conclusion of these inner loops we set K̂[i∗] = 1 and

return to the outer loop, selecting a new active state. The algorithm

requires exactly n iterations of the outer loop — after a state is

selected it becomes ‘known’ as indicated by K̂ , and we never revisita known state. Each iteration makes a constant number of passes

over the n states, giving complexityO (n2). At conclusion the vector

R̂ contains the truth values for Eψ U ϕ in permuted form, and the

caller may apply π1 to return the nodes to their original indices.

For the AU operator we introduce an additional integer array of

length n, each entry of which is initialized to the out-degree of the

corresponding state. The permutation π−1 is applied to this array

as well, and in the inner loop we first decrement the jth element of

this permuted array when the relevant predicate holds, and only

update R̂ if that entry has reached zero.

Let obcheckCTL (M, ϕ) be checkCTL (M, ϕ)where checkEU andcheckAU are replaced with their oblivious variants. The following

theorem is shown in Appendix A.

Theorem 3.1. The checkAND, checkNOT, checkEX,obcheckEU, and obcheckAU algorithms are data-oblivious.

The full oblivious checking algorithm carries over the same

correctness and complexity as the original algorithm – as also

shown in the appendix.

1: function checkAU(M, lψ , rϕ ):

2: o ← rϕ3: R ← {i | rϕ [i] = 1}

4: K ← ∅5: d ← degrees(M)6: while R , ∅ do

7: i ← draw(R )8: for all j ∈ {j′ | (sj′, si ) ∈ δ } do

9: if lψ [j] ∧ j < K then

10: d[j]← d[j] − 111: if d[j] = 0 then

12: o[j]← 1

13: R ← R ∪ {j }14: K ← K ∪ {j }15: R ← R \ {i }16: return o

Algorithm 4: The checkAU algorithm.

1: function obcheckAU(n, Mπ1, lψπ

1, rϕπ

1, idxsπ

2):

2: R̂ ← rϕπ1;ˆψ ← lψπ

1; K̂ ← 0

n

3: for all t ∈ [n] do4: i, i′ ← ⊥; m, m′ ← 0

5: for all c ∈ [n] do6: b1 ← R̂[c] ∧ ¬K̂ [c]; b2 ← (idxsπ

2[c] > m)

7: i ← cb1b2 + i (1 − b1b2 )8: m ← idxsπ

2[c] · b1b2 +m (1 − b1b2 )

9: for all c′ ∈ [n] do10: b′

1← ¬R̂[c′] ∧ ¬K̂ [c′]; b′

2← (idxsπ

2[c′] > m′)

11: i′ ← c′b′1b′2+ i′ (1 − b′

1b′2)

12: m′ ← idxsπ2[c′] · b′

1b′2+m′ (1 − b′

1b′2)

13: b3 ← (i = ⊥)14: i∗ ← i′b3 + i · (1 − b3 )15: for all j ∈ [n] do16: b4 ← R̂[i∗] ∧ Mπ

1.δπ [j][i∗]

17: Mπ1.d[j]← Mπ

1.d[j] − b4

18: R̂[j]← R̂[j] ∨ ( ˆψ [j] ∧ Mπ1.d[j] = 0)

19: K̂ [i∗]← 1

20: return R̂

Algorithm 5: The oblivious obcheckAU algorithm.

Theorem 3.2. For any Kripke structureM = (S, I , δ , L) and CTLformula ϕ

(1) obcheckCTL (M, ϕ) = 1 if and only ifM |= ϕ; and(2) obcheckCTL (M, ϕ) runs in timeO (mn2) where |M| = O (n2)

and |ϕ | =m.

Although asymptotically Theorem 3.2 is equivalent to Theorem 2.1

our oblivious checking algorithm incurs substantial concrete costs.

We require a scalar multiple of n2 steps always. In many model

checking problems, the semantics of the computational system

guarantee thatM will be sparse so checking is often closer to lin-

ear despite the quadratic worst-case. This gap is particularly acute

given the ‘state explosion phenomenon’, whereby n is frequently

exponential in the natural representation of the program as soft-

ware code, a hardware design, or a protocol specification. We note

however that our approach is compatible with many widely used

optimizations to mitigate the state explosion phenomenon, such as

partial order reduction and bitstate hashing [16, 17].

A potential direction for limiting this concrete overheadwould be

to employ oblivious data structures instead of requiring extraneous

computation. This would however cost logarithmic overhead both

asymptotically and concretely [40, 54]. An ideal solution would

be to design an oblivious algorithm for local or symbolic model

checking without requiring extraneous computation dependent on

n. We leave further exploration to future work.

4 AN MPC PROTOCOL FOR CTL MODEL

CHECKING

With these oblivious subroutines we are now able to construct our

privacy preserving checking protocol

(· ∥ b) ← PPMCCTL (M ∥ ϕ)

such that b correctly indicates whetherM |= ϕ. Given our setting

we dictate that the auditor receives the output, though the protocol

may be trivially extended to provide b to D by having A send it

publicly should they wish to. The high level design is shown as

Protocol 1.

There arem+ 2 separate ‘segments’ of the protocol. In the initial

segmentD andA each generate PRF keys, whileD locally constructs

Πpr fS shares of the transition matrix [[δ]], degree vector [[deд]],

and vector representations of the labelings [[ˆℓk ]] for all k ∈ [q],

i.e.,ˆℓk [i] = ℓk (si ). D then sends the ciphertext components of

those shares to A while keeping skD private. Note that we abuse

notation here by using [[x]] to indicate just the vectors of ⟨c, r ⟩pairs. Additionally, D discloses n and A disclosesm.

1: protocol Init(M ∥ ϕ):2: D, A : skD ← Genpr f (1λ ), skA ← Genpr f (1λ )3: for all i ∈ [n] do4: D : [[deд[i]]]← Share

pr fskD

(M .S[i].deд)

5: D : [[idxs[i]]]← Sharepr fskD

(i )

6: for all j ∈ [n] do7: D : [[δ [i][j]]]← Share

pr fskD

(M .δ [i][j])

8: for all k ∈ [q] do

9: D : [[ˆℓk [i]]]← Share

pr fskD

(M .ℓk (si ))

10: D : send ⟨n⟩11: D : send ciphertexts of ⟨[[δ ]], [[ ˆℓ1]], . . . , [[ ˆℓq ]], [[deд]], [[idxs]]⟩12: A : send ⟨m⟩

Each of the followingm segments will check a single operator

appearing in ϕ. Before commencing the checking protocol, A must

produce some linear ordering ϕ of the parse tree of ϕ. For any pair

of subformulae ϕa , ϕb ∈ ϕ, if ϕa depends on ϕb then we require

b < a. A suitable ordering may be found by reversing a topological

sort. In the jth segment for j ∈ [m], subprotocols for each of the

five possible operators are executed. We note that this allows a

degree of parallelism into our checking protocol, as each operator

may be checked concurrently.Awill keep the output for whichever

operator actually appears at ϕ j .

The ‘and’, ‘not’, andEX subprotocols take a straightforward form.

A selects the appropriate [[lψ ]] and [[rϕ ]] share vectors. If the true

operator is unary, they pick [[lψ ]] arbitrarily for the subroutines

with binary input. It is this selection by A where our use of Πpr fS is

essential. Since D has the same share (skD ) for all vectors, A may

DInput:M

AInput: ϕ

For: op

Keep: [[o (h )op ]]

Repeat for: h ∈ [m]

[[o (h )∧ ]]

[[o (h )¬ ]]

[[o (h )EX

]]

[[o (h )EU

]]

[[o (h )AU

]]

(n, [[δ ]], [[ ˆℓ1]], . . . , [[ ˆℓk ]], [[deд]], [[idxs]])

(m)

And(skD ∥ [[lψ ]], [[rϕ ]])

Not(skD ∥ [[rϕ ]])

EX(skD , δ ∥ [[rϕ ]])

EU(skD ∥ skA, [[δ ]], [[lψ ]], [[rϕ ]])

AU(skD ∥ skA, [[δ ]], [[lψ ]], [[rϕ ]], [[deд]])

b

Output: b

SAT(skD , I ∥ [[o (m )]])

Protocol 1: PPMC(M ∥ ϕ )

choose in a manner dependent on ϕ as necessary. After this selection,

the chosen Πpr fS shares are simplified to Π

otpS shares. Then, the

oblivious checking subroutine is executed using garbled circuits for

all intermediary computations. For EX this includes D providing

some transition matrix information as a private input. Finally, the

output ΠotpS shares are raised back into Π

pr fS shares.

1: protocol And(skD ∥ [[lψ ]], [[rϕ ]]):2: for all i ∈ [n] do3: [lψ [i]]← Simplify(skD , [[lψ [i]]])4: [rϕ [i]]← Simplify(skD , [[rψ [i]]])5: [o[i]]← [lψ [i]] ∧ [rϕ [i]]6: [[o[i]]]← Complicate(skD , [o[i]])7:

8: protocol Not(skD ∥ [[rϕ ]]):9: for all i ∈ [n] do10: [rϕ [i]]← Simplify(skD , [[rϕ [i]]])11: [o[i]]← ¬[rψ [i]]12: [[o[i]]]← Complicate(skD , [o[i]])13:

14: protocol EX(skD , δ ∥ [[rϕ ]]):15: for all i ∈ [n] do16: [rϕ [i]]← Simplify(skD , [[rϕ [i]]])17: [o[i]]← 0

18: for all j ∈ [n] do19: [o[i]]← [o[i]] ∨ ([rϕ [j]] ∧ δ [i][j])20: [[o[i]]]← Complicate(skD , [o[i]])

Note that any ΠotpS shared constant may be set, such as for o[i]← 0,

by having both parties set their share in a manner dictated by the

protocol — e.g., at Line 17 both parties just set their share to 0. At

Line 19, δ [i][j] is a private input of D into the garbled circuit.

For EU and AU we want to use a similar approach of adapting

our oblivious algorithms. However, we have a difficulty in that

those algorithms require uniformly permuted inputs. We cannot

simply have A choose and execute a permutation over their shares,

as they will then be able to follow the access patterns — in the most

trivial case, A may just choose π1 to be the identity permutation.

For similar reasons, the choice of permutation cannot be entrusted

simply to D. Rather, we need both D and A to permute the vectors

so that each may be assured no information leaks to the other.

As permutations compose, we can accomplish this by having Dand A each choose and apply a random permutation, while using

encryption to keepD from learning the shares ofA, and either partyfrom learning the permutation of the other.

Joint Permutations. Our subprotocol for jointly computing per-

mutations proceeds as follows. At commencement,D holds skD and

some permutation πD .A holds skA, a vector of ciphertexts [[x̂]]skD ,and a pair of permutations πA and πA′ . Our protocol will outputπA′πDπA ([[x̂]]). Conventionally, either πA or πA′ will be the iden-tity permutation 1. This allows us to employ the same protocol to

compute both π−1π ′−11([[x̂]]) and its inverse 1π ′π ([[x̂]]).The protocol is relatively straightforward in formulation. A first

applies πA to [[x̂]]skD . The parties then execute a sequence of gar-

bled circuit executions to transfer these ciphertexts fromD toA. Thetransfer subroutine uses the key of D to decrypt and then the key of

A to re-encrypt. At the conclusion,D possesses πA ([[x̂]]skA ) whichwe notate by [[x̂πA ]]skA .D then applies πD to derive [[x̂πAπD ]]skA ,and the parties then repeat the transfer in the opposite direction.

Finally, A applies πA′ to arrive at [[x̂πAπDπA′ ]]skD as required.

If (as in our construction) there is a use of the subprotocol where

πA′ = 1 and the reshares will immediately be simplified, an alter-

native final transfer procedure may be used where the resharing is

directly into ΠotpS , to remove a few unnecessary (and expensive)

Sharepr f and Reconstructpr f operations. For brevity, we give the

permutation subprotocols over vectors. They may be adopted to

permuting the rows and columns of a matrix, and we will overload

our notation by invoking them on [[δ ]].

1: function transfer(skt , skf , [[x ]]):

2: x ← Reconstructpr fskt

([[x ]]) ▷ skt is key of ‘to’ party

3: [[x ′]]← Sharepr fskf

(x ) ▷ skf is key of ‘from’ party

4: return [[x ′]]5:

6: protocol Perm(skD , πD ∥ skA, πA, πA′, [[x̂ ]]skD ):

7: A : [[x̂πA ]]skD ← πA ([[x̂ ]]skD )

8: for all i ∈ [n] do9: ([[x̂πA [i]]]skA ) ← GC(transfer; skD ∥ skA, [[x̂πA [i]]]skD )

10: D : [[x̂πAπD ]]skA ← πD ([[x̂πA ]]skA )

11: for all i ∈ [n] do12: ([[x̂πAπD [i]]]skD ) ← GC(transfer; skD , [[x̂πAπD [i]]]skA ∥ skA )

13: A : [[x̂πAπD πA′ ]]skD ← πA′ ([[x̂πAπD ]]skD )

14:

15: protocol AltPerm(skD , πD ∥ skA, πA, [[x̂ ]]skD ):

16: ...same as Lines 7-10...

17: for all i ∈ [n] do18: ([x̂πAπD [i]]) ← Simplify(skA, [[x̂πAπD [i]]]skA )

For AltPerm, which bits of the output must be retained is depen-

dent on the object being permuted. Label vectors, intermediary

outputs, and the transition matrix each have indicator entries, and

so only a single bit need be kept. For the degree vector, however

many bits are necessary to store the integer (e.g., likely 32 or 64)

must be retained.

Intuitively, the permutation protocol is privacy preserving as

the shares are pseudorandom due to Πpr fS being an encryption

scheme. Given the inability of either D or A to distinguish the

encryption of one plaintext from another, they are unable to learn

anything about the permutation that has been placed on those

plaintexts. This privacy conveys to the nested shares as well. With

these permutation subprotocols, the subprotocols for EU and AU

follow from our discussion in §3.

1: protocol EU(skD ∥ skA, [[δ ]], [[lψ ]], [[rϕ ]]):

2: D, A : π1D , π

2D$

←− Sn, π1A, π2A$

←− Sn3: [idxsπ

2]← AltPerm(skD , π−1

2D ∥ skA, π−12A, [[idxs]])

4: [lψπ1]← AltPerm(skD , π−1

1D ∥ skA, π−11A, [[l

ψ]])

5: [rϕπ1]← AltPerm(skD , π−1

1D ∥ skA, π−11A, [[r

ϕ]])

6: [δπ1]← AltPerm(skD , π−1

1D ∥ skA, π−11A, [[δ ]])

7: ...same as Algorithm 3 with ΠotpS shares and revealed i∗ ...

8: [[R̂]]← Complicate(skD , [R̂])9: [[o]]← Perm(skD , π

1D ∥ skA, 1, π1A, [[R̂]])10:

11: protocol AU(skD ∥ skA, [[δ ]], [[lψ ]], [[rϕ ]], [[deд]]):12: ...same as Lines 2-6...

13: [deд]← AltPerm(skD , π−11D ∥ skA, π

−11A, [[deд]])

14: ...same as Algorithm 5 with ΠotpS shares and revealed i∗ ...

15: ...same as Lines 8-9...

The final segment of the protocol is to determine whether all ini-

tial states satisfy the specification. This may be done with a straight-

forward adaption of the same functionality from obcheckCTL.

1: function SAT(skD , M ∥ [[oϕ ]]):2: [sat ]← 1

3: for all i ∈ [n] do4: [o[i]]← Simplify(skD , [[oϕ [i]]])5: [sat ]← [sat ] ∧ ([oϕ [i]] ∨ ¬M .S[i].inI )6: ( · ∥ b ) ← Reveal([sat ])

At Line 5,M .S[i].inI is a private input of D. The output of Line 6completes the model checking protocol.

4.1 Correctness, Complexity, and Security

Our result with respect to correctness and complexity is an analogue

of Theorem 3.2.

Theorem 4.1. For any Kripke structureM = (S, I , δ , L) and CTLformula ϕ, let (· ∥ b) ← PPMC(skD , M ∥ skA, ϕ). Then,

(1) b = 1 if and only ifM |= ϕ; and(2) PPMC(M ∥ ϕ) runs in local and communication complexities

O (mn2) where |M| = O (n2) and |ϕ | =m.

Proof. Each of the component algorithms of ΠotpS , Π

pr fS , and

the GC subprotocol run in constant-time with respect to n and

m and so require no asymptotic overhead. The first segment of

our protocol costs local and communication complexities O (n2).For the remainingm + 1 segments our protocol faithfully adapts

obcheckCTL. So by Theorem 3.2, the protocol is correct and runs

in local and communication complexities O (mn2). □

Our second result establishes the privacy preserving nature of the

protocol.

Theorem 4.2. For any Kripke structureM = (S, I , δ , L) and CTLformula ϕ, let bit b indicate whetherM |= ϕ. Then,

(1) there exists a PPT simulator SimD (1λ , ϕ, b) such that

viewA (PPMC, ϕ, D (1λ , M)) ≈

viewA (PPMC, ϕ, SimD (1λ , ϕ, n, b)); and

(2) there exists a PPT simulator SimA (1λ , M, ·) such that

viewD (PPMC, M, A(1λ , ϕ)) ≈

viewD (PPMC, M, SimA (1λ , M, m, ·)).

Note that although in our protocol n and m are private inputs

which the parties agree to leak, here we treat them as public inputs

available to the simulators. This may be formalized through leakage

oracles, but we use this informal approach for simplicity.

We require a few preliminaries towards this proof. First, that

for the protocol GC(c; · ∥ ·) for arbitrary c there exist simula-

tors for both participants [43]. Since we are agnostic to the roles

in the GC protocol, we just refer to the appropriate simulator as

GCSim(1λ , f , y). The second result is that given a PRF, an encryp-

tion scheme Πenc = (Gen, Enc, Dec) for which Gen = Genpr f ,Enc = Sharepr f , and Dec = Reconstructpr f provides indistin-

guishability for multiple encryptions under chosen ciphertext attack,

or IND-CPA security [37]. Finally, we need the experiment used to

formalize this security notion. The specific experiment we use is

often referred to as the left-right oracle formulation.

Definition 4.3. LetΠ = (Gen, Enc, Dec) be an encryption scheme

and λ ∈ N a security parameter.We define the experiment Ind-CPAA, Π

between adversary A and a challenger C by

(1) C runs sk ← Gen(1λ ) and samples b$

←− {0, 1}. C then invokes

A (1λ ) and exposes an encryption oracle to it.

(2) A sends a pair (m0, m1) to C through the oracle, and receives

Enc(sk, mb ) in response.

(3) A repeats (2) up to n times, for n = poly (λ).(4) A outputs b ′ ∈ {0, 1}. The output of Ind-CPAA, Π is then the

truth of the predicate b?

= b ′.

Then Π provides indistinguishability for multiple encryptions under

chosen ciphertext attack if for all PPT A,

Pr[Ind-CPAA, Π (λ) = 1] ≤1

2

+ negl(λ).

We now have the necessary machinery to prove Theorem 4.2. For

brevity we mostly sketch part (1) of the argument. The argument

for (2) follows along similar lines.

Proof Sketch. Let τ = O (mn2) be the number of circuits com-

puted over the course of the protocol. We let fh be the function,

xDh , xAh ∈ {0, 1}∗the inputs, and yDh , yAh ∈ {0, 1}

∗the outputs

of the hth such circuit for h ∈ [τ ].SimD (1λ , ϕ, n, b) first constructs a random Kripke structureM ′.

To accomplish this, the simulator uniformly samples bits b1, . . . ,

bn2+(q+1)n$

←− {0, 1} and uses them to populate M ′.S[i].inI for

i ∈ [n],M ′.ℓk for k ∈ [q], andM ′.δ . It then sets the values of

M ′.S[i].deд as appropriate. The simulator then executes Init as

specified overM ′.

In each of the followingm + 1 segments of the protocol SimDexecutes all local computations as prescribed. For the hth garbled

circuit the simulator locally computes f (xDh , xAh ) = (yDh , yAh ).

It then invokes GCSim(1λ , f , yAh ) and so embeds the correct out-

put to be received by A, which will be either a Πpr fS or a Π

otpS

share. When the time comes to reveal an i∗ value, as D knows both

the value and the input share of A they may design their share to

produce the correct reveal.

The only complications are for Perm and AltPerm, as SimDcannot inspect the encrypted [[x̂πA ]]skA vectors and recover πA as

it does not know skA. For AltPerm, givenM′and ϕ, D knows the

underlying plaintexts x̂ = x1, . . . , xn . So it may uniformly sample

a permutation π ′D , and for i ∈ [n] embed [x̂π ′D[i]] as the output of

the ith execution of Simplify. As there is a unique πD such that

πAπD = π′D these embeddings correctly simulate the protocol.

For Perm, SimD again knows the underlying plaintexts. However,

without knowledge of π ′A the simulator cannot embed the outputs

of GCSim(transfer; · ∥ ·) so that [[x̂πAπDπA′ ]]skD will return to

the original order. So, instead it embeds them in arbitrary order.

If [[x̂πAπDπA′ ]]skD will be the input to a later protocol segment,

which SimD knows as it has ϕ, then the simulator just embeds the

outputs to any Simplify invocation as though they were correctly

ordered.

Finally, as SimD is able to locally compute the share of [sat] heldby A it may correctly embed b into the final reveal by negating

its share if necessary. As SimD evaluates each computation in the

protocol at most twice, it runs in PPT O (mn2) as required.We next construct a sequence of hybrid distributions, start-

ing from H0 = viewA (PPMC, ϕ, SimD (1λ , ϕ, n, b)) and ending

atHτ+1 = viewA (PPMC, ϕ, D (1λ , M)). The first hybridH1 cap-

tures an interaction with identical functionality to SimD , except

using M instead of sampling M ′. We show that H0 ≈ H1 by

reduction to the assumption that we have a secure PRF, through

the functional equivalence between Πpr fS and a IND-CPA secure

encryption scheme. Let A be an adversary with non-negligible

advantage in distinguishing H0 and H1 for someM∗. We show

this implies an adversary A ′ with non-negligible advantage in the

IND-CPA security experiment, violating our assumption.

We let A ′ be parameterized byM∗ (and n), and it is given 1λ

on start by C. It begins by sampling an M ′ as per H0. It then

executes the remaining functionality of bothH0 andH1 (which are

consistent with each other). But, for all encryptions that it would

usually carry out locally with skD it instead uses its oracle access

from C, sending asm0 the plaintext forH0 (fromM′) and asm1

the plaintext forH1 (fromM∗). It then embeds these encryptions

into the garbled circuit simulator outputs as appropriate.

Let b∗ be the coin flipped by C. If b∗ = 0, then A ′ perfectly

instantiatesH0 as it

i. executes a fixed order of garbled circuit simulators;

ii. uniformly generates all ΠotpS shares as required;

iii. generates all Πpr fS shares appropriately under the challenge sk

using the oracle access from C; and

iv. reveals each sequence of i∗ values in a uniformly distributed

order which is consistent with any possible (but unknown to

it) choice of π1A.

If b∗ = 1, A ′ perfectly instantiates H1 by an identical argument.

So, upon receipt of the distinguishing bit b ′′ from A, A ′ sets its

own output bit b ′ = b ′′. It therefore retains the non-negligible

advantage of A, and so has a non-negligible advantage in the IND-

CPA experiment. We conclude thatA ′ may not exist as it derives a

contradiction, and so neither may A.

Returning to our sequence of hybrid distributions, for all h ∈[τ ], hybridHh+1 converts the hth intermediary computation from

using the garbled circuit simulator to using the real garbled circuit

functionality. Then,Hh+1 ≈ Hh+2 follows by the compositionality

of secure computation protocols, as proven in detail in [12]. As no

distinguisher exists for any two adjacent hybrids in our sequence,

we may conclude that

viewA (PPMC, ϕ, SimD (1λ , ϕ, n, b)) = H0 ≈

Hτ+1 = viewA (PPMC, ϕ, D (1λ , M))

by the triangle inequality. □

5 IMPLEMENTATION

We implemented our protocol using the semihonest 2PC functional-

ity within the EMP-Toolkit [53]. For AES, we used the key-expanded

Bristol Format circuit,4which requires 5440 AND gates per execu-

tion — none of the approx. 22500 combined XOR and INV gates

require encrypted gates, due to Free-XOR techniques [41, 58].

In the following table we report both the time elapsed and num-

ber of in-circuit AES executions to check random models of size

n andm respectively, with q = 4. Given that our construction is

completely agnostic to the structure of eitherM or ϕ, these experi-ments are demonstrative for natural problems of similar dimension.

Our evaluations were made on a commodity laptop with a Intel

i5-3320M CPU running at 2.60GHz and 8GB of RAM, and no paral-

lelism was employed. Since the cost is dominated by EU and AU,

we predict a parallel implementation will cut running times roughly

in half.

n,m 1 2 4 7

4

4.802s

252x AES

9.198s

500x AES

19.333s

996x AES

32.030s

1740x AES

8

15.705s

696x AES

29.629s

1384x AES

59.407s

2760x AES

107.745s

4824x AES

16

55.482s

2160x AES

107.760s

4304x AES

210.392s

8592x AES

374.140s

15024x AES

32

204.769s

7392x AES

401.424s

14752x AES

794.022s

29472x AES

1411.514s

51552x AES

64

751.318s

27072x AES

1519.174s

54080x AES

3027.711s

108096x AES

5311.291s

189120x AES

We observe a consistent cost of ≈ 20-30ms per AES execution,rising as it incorporates (amortized) both local computations and

circuits over ΠotpS . Latency is minimal, due to both processes run-

ning on the same physical hardware. As expected the number of

AES executions grows linearly inm. For each increment of n we

observe the number of executions growing quadratically due to

the domination of the n2 term for EU and AU. All of these ob-

servations are consistent with the relatively static nature of our

algorithm — the number of circuits executed is a relatively simple

and deterministic function of n andm.

Recent work on developing more efficient PRFs for use within

MPC has produced primitives with an order of magnitude better

performance than AES [1–3, 30]. In addition, some of these prim-

itives are naturally computed in arithmetic circuits, which may

4https://homes.esat.kuleuven.be/~nsmart/MPC/old-circuits.html

provide a more efficient setting for some of the other intermediary

computations we require. However, the growth rates borne out

by our experimentation lead us to conclude that although these

primitives may noticeably reduce concrete cost, practical PPMC on

non-trivial problems will likely require further algorithmic develop-

ments. The orders of magnitude of n for which our current protocol

projects as viable may suffice for some small protocol and hardware

designs, but not likely any software verification task of meaningful

complexity. We hope to develop significantly more efficient con-

structions, especially by adopting the local or symbolic techniques

necessary for combating the state explosion phenomenon.

6 RELATEDWORK

Recent years have seen a proliferation of work applying MPC to

real-world problems, with [4] an excellent overview. This work has

been enabled by developments in the efficiency of primitives [6, 34,

39, 41, 58], by the creation of usable compilers and software libraries

— see [31] for a comprehensive SoK — and by increased research

interest in the definition of tailored protocols. Our work fits into this

narrative that MPC is practical and valuable to privacy-conscious

settings [49]. At the specific intersection of privacy preserving

computation and program analysis and verification, recent work

has employed zero-knowledge proofs to prove the presence of

software bugs [9, 32].

In addition to generic MPC tools and techniques, our protocol

is particularly dependent on both the in-circuit PRF and oblivious

graph algorithms. Constructing PRFs specifically for multiparty

computation is an active area of research, providing promising

schemes which may dramatically reduce the concrete overhead of

our protocol [1–3, 30]. Data-oblivious graph algorithms have also

received attention both generically and within a variety of problem

domains [10, 11, 22, 27, 28, 56]. Also relevant is work on generic

oblivious data structures [40, 54]. Although these usually come

with asymptotic overhead, they allow for straightforward adoption

of many graph algorithms into 2PC.

Finally, we note that while our work applies cryptography to

formal methods, the opposite direction — applying formal meth-

ods to cryptography — has also seen substantial recent develop-

ment. Computer-aided cryptography attempts to provide formal

proofs of cryptographic security — see [7] for a comprehensive

SoK. Work from the programming languages community has de-

veloped languages and compilers tailored to oblivious computation

and MPC [18, 45, 46, 51]. Of particular note is [33], where a model

checker is used in the compilation of C programs for MPC execu-

tion.

7 CONCLUSION

We have presented an oblivious algorithm for global explicit state

model checking of CTL formulae, and shown how it may be ex-

tended with the use of cryptographic primitives into an MPC pro-

tocol secure against semihonest adversaries. The result requires

no asymptotic local overhead and communication complexity con-

sistent with the local complexity, while the concrete cost and fea-

sibility remain a focus of future effort. Although our work is so

limited, we have shown the potential application of privacy pre-

serving techniques to modern techniques for program analysis and

verification.

7.1 Future Work

We consider there to be substantial opportunity for further work

on privacy preserving formal methods — and privacy preserving

model checking in particular — in the following directions:

– Our proof of security is in the semihonestmodel only. Though

generic techniques allow us to execute our garbled circuits

with security against malicious adversaries [42], verifiable

secret sharing (VSS) is also required for composition [13].

Elevating PRF-based secret sharing scheme to VSS may be

necessary work if the complexity and structure of formal

methods frequently requires partially data-dependent pro-

cessing. The use of a PRF for a message authentication code

(MAC) to accompany the encryption scheme may be a start-

ing point, but further investigation is needed.

– As noted in our introduction, a substantial limitation of our

construction is the inability to guarantee thatM accurately

and adequately represents the program execution. There

has been active work — perhaps most prominently [9] —

in providing for zero-knowledge proofs (ZKP) of program

executions. A potential direction would be to integrate these

schemes with our privacy preserving construction, so that Agains assurance the model they checked does represent a pro-

gram with certain functionality, while otherwise maintain-

ing the privacy of it and the specification. Such approaches

would need to be mediated through techniques for input

validity for MPC [36, 38].

– Our protocol only applies for specifications written in CTL.

Whether similar protocols may be developed for LTL, CTL∗,

and (temporal) epistemic logics is an open question. Addi-

tionally, our scheme suffers from being global and for requir-

ing the worst-case always. Protocols adapting local explicit

state or symbolic checking algorithms would dramatically

increase the practicality of PPMC.

– Finally, development of a privacy preserving model checking

tool for use with real software would confirm the utility of

our construction.

ACKNOWLEDGMENTS

The authors thank Mariana Raykova, Mark Santolucito, and the

anonymous reviewers for their helpful comments, and Michael

Chen for his assistance in the implementation. This work was

supported in part by the Office of Naval Research through Grant

No. N00014-17-1-2787 and a National Defense Science and Engineer-

ing Graduate (NDSEG) Fellowship, by the National Science Foun-

dation through Grants No. CNS-1562888, CNS-1565208, and CCF-

1553168, and by DARPA through Grant No. W911NF-16-1-0389.

REFERENCES

[1] Martin R. Albrecht, Lorenzo Grassi, Léo Perrin, Sebastian Ramacher, Christian

Rechberger, Dragos Rotaru, Arnab Roy, and Markus Schofnegger. 2019. Feistel

Structures for MPC, and more. In European Symposium on Research in Computer

Security. Springer, 151–171.

[2] Martin R. Albrecht, Christian Rechberger, Thomas Schneider, Tyge Tiessen, and

Michael Zohner. 2015. Ciphers for MPC and FHE. In Annual International Con-

ference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT

’15). Springer, 430–454.

[3] Abdelrahaman Aly, Tomer Ashur, Eli Ben-Sasson, Siemen Dhooghe, and Alan

Szepieniec. 2019. Design of Symmetric-Key Primitives for Advanced Cryptographic

Protocols. Technical Report. Cryptology ePrint Archive, Report 2019/426.

[4] David W. Archer, Dan Bogdanov, Yehuda Lindell, Liina Kamm, Kurt Nielsen,

Jakob Illeborg Pagter, Nigel P. Smart, and Rebecca N. Wright. 2018. From Keys

to Databases — Real-World Applications of Secure Multi-Party Computation.

Comput. J. 61, 12 (2018), 1749–1771.

[5] Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel,

Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flow-

droid: Precise Context, Flow, Field, Object-Sensitive and Lifecycle-Aware Taint

Analysis for Android Apps. In Proceedings of the 35th ACM SIGPLAN Conference

on Programming Language Design and Implementation (PLDI ’14). 259–269.

[6] Gilad Asharov, Yehuda Lindell, Thomas Schneider, and Michael Zohner. 2013.

More Efficient Oblivious Transfer and Extensions for Faster Secure Computation.

In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communica-

tions Security (CCS ’13). 535–548.

[7] Manuel Barbosa, Gilles Barthe, Karthikeyan Bhargavan, Bruno Blanchet, Cas

Cremers, Kevin Liao, and Bryan Parno. 2019. SoK: Computer-Aided Cryptography.

IACR Cryptol. ePrint Arch. 2019 (2019), 1393.

[8] Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. 1988. Completeness

Theorems for non-Cryptographic Fault-Tolerant Distributed Computation. In

Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing

(STOC ’88). 1–10.

[9] Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, and Madars

Virza. 2013. SNARKs for C: Verifying Program Executions Succinctly and in

Zero Knowledge. In Annual International Cryptology Conference (CRYPTO ’13).

Springer, 90–108.

[10] Marina Blanton, Aaron Steele, and Mehrdad Alisagari. 2013. Data-Oblivious

Graph Algorithms for Secure Computation and Outsourcing. In Proceedings of

the 8th ACM SIGSAC Symposium on Information, Computer and Communications

Security (ASIA CCS ’13). 207–218.

[11] Justin Brickell and Vitaly Shmatikov. 2005. Privacy-Preserving Graph Algo-

rithms in the Semi-Honest Model. In International Conference on the Theory and

Application of Cryptology and Information Security (ASIACRYPT ’05). Springer,

236–252.

[12] Ran Canetti. 2000. Security and Composition of Multiparty Cryptographic Proto-

cols. Journal of Cryptology 13, 1 (2000), 143–202.

[13] Benny Chor, Shafi Goldwasser, Silvio Micali, and Baruch Awerbuch. 1985. Veri-

fiable Secret Sharing and Achieving Simultaneity in the Presence of Faults. In

26th Annual Symposium on Foundations of Computer Science (FOCS ’85). IEEE,

383–395.

[14] Edmund M. Clarke and E. Allen Emerson. 1981. Design and Synthesis of Syn-

chronization Skeletons Using Branching Time Temporal Logic. InWorkshop on

Logic of Programs. Springer, 52–71.

[15] Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. 1986. Automatic Veri-

fication of Finite-State Concurrent Systems Using Temporal Logic Specifications.

ACM Transactions on Programming Languages and Systems (TOPLAS) 8, 2 (1986),

244–263.

[16] Edmund M. Clarke, Thomas A. Henzinger, Helmut Veith, and Roderick Bloem.

2018. Handbook of Model Checking. Vol. 10. Springer.

[17] Edmund M. Clarke Jr., Orna Grumberg, Daniel Kroening, Doron Peled, and

Helmut Veith. 2018. Model Checking. MIT Press.

[18] David Darais, Chang Liu, Ian Sweet, and Michael Hicks. 2017. A Language for

Probabilistically Oblivious Computation. arXiv preprint arXiv:1711.09305 (2017).

[19] Edmund M. Clark, Jeannette M. Wing, et. al. 1996. Formal Methods: State of the

Art and Future Directions. ACM Computing Surveys (CSUR) 28, 4 (1996), 626–643.

[20] Manuel Egele, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2011. PiOS:

Detecting Privacy Leaks in iOS Applications. In Network and Distributed Systems

Symposium (NDSS ’11). 177–183.

[21] William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon

Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth.

2014. TaintDroid: An Information-Flow Tracking System for Realtime Privacy

Monitoring on Smartphones. ACM Transactions on Computer Systems (TOCS) 32,

2 (2014), 1–29.

[22] David Eppstein, Michael T. Goodrich, and Roberto Tamassia. 2010. Privacy-

Preserving Data-Oblivious Geometric Algorithms for Geographic Data. In Pro-

ceedings of the 18th SIGSPATIAL International Conference on Advances in Geo-

graphic Information Systems. 13–22.

[23] European Parliament and Council. 2016. Regulation (EU) 2016/679 of the Eu-

ropean Parliament and of the Council of 27 April 2016 on the Protection of

Natural Persons with Regard to the Processing of Personal Data and on the Free

Movement of Such Data, and Repealing Directive 95/46 (General Data Protection

Regulation). Official Journal of the European Union (OJ) (2016).

[24] Oded Goldreich. 2009. Foundations of Cryptography: Volume 2, Basic Applications.

Cambridge University Press.

[25] Oded Goldreich, Silvio Micali, and Avi Wigderson. 1987. How to Play Any Mental

Game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of

Computing (STOC ’87). ACM, 218–229.

[26] Oded Goldreich and Rafail Ostrovsky. 1996. Software Protection and Simulation

on Oblivious RAMs. Journal of the ACM (JACM) 43, 3 (1996), 431–473.

[27] Michael T. Goodrich, Olga Ohrimenko, and Roberto Tamassia. 2012. Data-

Oblivious Graph Drawing Model and Algorithms. arXiv preprint arXiv:1209.0756

(2012).

[28] Michael T. Goodrich and Joseph A. Simons. 2014. Data-Oblivious Graph Algo-

rithms in Outsourced External Memory. In International Conference on Combina-

torial Optimization and Applications. Springer, 241–257.

[29] S. Dov Gordon, Jonathan Katz, Vladimir Kolesnikov, Fernando Krell, Tal Malkin,

Mariana Raykova, and Yevgeniy Vahlis. 2012. Secure Two-Party Computation

in Sublinear (Amortized) Time. In Proceedings of the 2012 ACM Conference on

Computer and Communications Security (CCS ’12). ACM, 513–524.

[30] Lorenzo Grassi, Christian Rechberger, Dragos Rotaru, Peter Scholl, and Nigel P.

Smart. 2016. MPC-Friendly Symmetric Key Primitives. In Proceedings of the 2016

ACM SIGSAC Conference on Computer and Communications Security. 430–443.

[31] Marcella Hastings, Brett Hemenway, Daniel Noble, and Steve Zdancewic. 2019.

SoK: General-Purpose Compilers for Secure Multi-Party Computation. In 2019

IEEE Symposium on Security and Privacy (S&P ’19).

[32] David Heath and Vladimir Kolesnikov. 2020. Stacked Garbling for Disjunctive

Zero-Knowledge Proofs. Cryptology ePrint Archive, Report 2020/136. https:

//eprint.iacr.org/2020/136.

[33] Andreas Holzer, Martin Franz, Stefan Katzenbeisser, and Helmut Veith. 2012.

Secure Two-Party Computations in ANSI C. In Proceedings of the 2012 ACM

Conference on Computer and Communications Security (CCS ’12). 772–783.

[34] Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. 2003. Extending Oblivious

Transfers Efficiently. In Annual International Cryptology Conference (CRYPTO

’03). Springer, 145–161.

[35] Jack Nicas. April 27th, 2019. Apple Cracks Down on Apps That Fight iPhone

Addiction. The New York Times (April 27th, 2019). Accessed November

11th, 2019 at https://www.nytimes.com/2019/04/27/technology/apple-screen-

time-trackers.html.

[36] Marek Jawurek, Florian Kerschbaum, and Claudio Orlandi. 2013. Zero-Knowledge

using Garbled Circuits: How to Prove Non-Algebraic Statements Efficiently. In

Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications

Security (CCS ’13). 955–966.

[37] Jonathan Katz and Yehuda Lindell. 2014. Introduction to Modern Cryptography.

Chapman and Hall/CRC.

[38] Jonathan Katz, Alex J. Malozemoff, and Xiao Wang. 2016. Efficiently Enforcing

Input Validity in Secure Two-Party Computation. IACR Cryptol. ePrint Arch. 2016

(2016), 184.

[39] Marcel Keller, Emmanuela Orsini, and Peter Scholl. 2015. Actively Secure OT

Extension with Optimal Overhead. In Annual International Cryptology Conference

(CRYPTO ’15). Springer, 724–741.

[40] Marcel Keller and Peter Scholl. 2014. Efficient, Oblivious Data Structures for

MPC. In International Conference on the Theory and Application of Cryptology and

Information Security (ASIACRYPT ’14). Springer, 506–525.

[41] Vladimir Kolesnikov and Thomas Schneider. 2008. Improved Garbled Circuit:

Free XOR Gates and Applications. In International Colloquium on Automata,

Languages, and Programming. Springer, 486–498.

[42] Yehuda Lindell and Benny Pinkas. 2007. An Efficient Protocol for Secure Two-

Party Computation in the Presence of Malicious Adversaries. In Annual Inter-

national Conference on the Theory and Applications of Cryptographic Techniques

(EUROCRYPT ’07). Springer, 52–78.

[43] Yehuda Lindell and Benny Pinkas. 2009. A Proof of Security of Yao’s Protocol for

Two-Party Computation. Journal of Cryptology 22, 2 (2009), 161–188.

[44] Yehuda Lindell and Benny Pinkas. 2012. Secure Two-Party Computation via

Cut-and-Choose Oblivious Transfer. Journal of Cryptology 25, 4 (2012), 680–722.

[45] Chang Liu, Michael Hicks, and Elaine Shi. 2013. Memory Trace Oblivious Program

Execution. In 2013 IEEE 26th Computer Security Foundations Symposium (CSF ’13).

IEEE, 51–65.

[46] Chang Liu, Xiao Shaun Wang, Kartik Nayak, Yan Huang, and Elaine Shi. 2015.

Oblivm: A Programming Framework for Secure Computation. In 2015 IEEE Sym-

posium on Security and Privacy (S&P’15). IEEE, 359–376.

[47] Long Lu, Zhichun Li, Zhenyu Wu, Wenke Lee, and Guofei Jiang. 2012. Chex:

Statically Vetting Android Apps for Component Hijacking Vulnerabilities. In

Proceedings of the 2012 ACMConference on Computer and Communications Security

(CCS ’12). 229–240.

[48] Silvio Micali and Phillip Rogaway. 1991. Secure Computation. In Proceedings

of the 11th Annual International Cryptology Conference (CRYPTO ’91). Springer,

392–404.

[49] Pinkas, Benny and Schneider, Thomas and Smart, Nigel P. and Williams, Stephen

C. 2009. Secure Two-Party Computation is Practical. In International Conference

on the Theory and Application of Cryptology and Information Security (ASIACRYPT

’09). Springer, 250–267.

[50] Amir Pnueli. 1977. The Temporal Logic of Programs. In 18th Annual Symposium

on Foundations of Computer Science (FOCS ’77). IEEE, 46–57.

[51] Aseem Rastogi, Matthew A. Hammer, and Michael Hicks. 2014. Wysteria: A

Programming Language for Generic, Mixed-mode Multiparty Computations. In

2014 IEEE Symposium on Security and Privacy (S&P ’14). IEEE, 655–670.

[52] A. Prasad Sistla and Edmund M. Clarke. 1985. The Complexity of Propositional

Linear Temporal Logics. Journal of the ACM (JACM) 32, 3 (1985), 733–749.

[53] Xiao Wang, Samuel Ranellucci, and Jonathan Katz. 2017. Global-Scale Secure

Multiparty Computation. In Proceedings of the 2017 ACM SIGSAC Conference on

Computer and Communications Security (CCS ’17). 39–56.

[54] Xiao Shaun Wang, Kartik Nayak, Chang Liu, TH Hubert Chan, Elaine Shi, Emil

Stefanov, and Yan Huang. 2014. Oblivious Data Structures. In Proceedings of the

2014 ACM SIGSAC Conference on Computer and Communications Security (CCS

’14). 215–226.

[55] Jim Woodcock, Peter Gorm Larsen, Juan Bicarregui, and John Fitzgerald. 2009.

Formal methods: Practice and Experience. ACM Computing Surveys (CSUR) 41, 4

(2009), 1–36.

[56] David J. Wu, Joe Zimmerman, Jérémy Planul, and John C. Mitchell. 2016. Privacy-

Preserving Shortest Path Computation. In 23rd Annual Network and Distributed

System Security Symposium (NDSS ’16).

[57] Andrew Chi-Chih Yao. 1986. How to Generate and Exchange Secrets. In 27th

Annual Symposium on Foundations of Computer Science (FOCS ’86). IEEE, 162–167.

[58] Samee Zahur, Mike Rosulek, andDavid Evans. 2015. TwoHalvesMake aWhole. In

Annual International Conference on the Theory and Applications of Cryptographic

Techniques (EUROCRYPT ’15). Springer, 220–250.

A DATA-OBLIVIOUS MODEL CHECKING

Our first theorem establishing the correctness of the obcheckCTLalgorithm is that the checking subroutines it employs are data-

oblivious, restated here.

Theorem 3.1. The checkAND, checkNOT, checkEX,obcheckEU, and obcheckAU algorithms are data-oblivious.

For our proofs, we give our most relevant definitions with more

formality than in §2.

DefinitionA.1 (Access Pattern). The access pattern of aRAM =(CPU , MEM ) on input (s, y) is a sequence

AP (s, y) = (a1, . . . , ai , . . .)

such that for every i , the ith message sent byCPU (s ) when interactingwithMEM (y) is of the form (·, ai , ·).

Definition A.2 (Data-Oblivious Program). A program P is

data-oblivious with respect to an input class X , if for any two strings

x1, x2 ∈ X , should |AP (⟨P , x1⟩) | and |AP (⟨P , x2⟩) | be identicallydistributed, then so are AP (⟨P , x1⟩) and AP (⟨P , x2⟩).

Throughout the following argument letM ⊆ {0, 1}∗ be the set

of all binary strings interpretable as a Kripke structureM, and

BitVecn ⊆ {0, 1}∗be the set of all binary strings interpretable as a

bitvector of lengthn. We also proceed (as previously noted) with the

assumptions that reading, writing, and incrementing/decrement-

ing elements of N, array lookups, and evaluation of any specific

arithmetic or propositional formula all take a constant number

of instructions — assumptions valid under careful cryptographic

engineering.

LemmaA.3 (Obliviousness of checkAND, checkNOT, and checkEX).

(1) If P = checkAND and for all x ∈ X we may write x =

⟨M, lψ , rϕ ⟩ forM ∈ M and lψ , rϕ ∈ BitVecn for some

n ∈ N withM .n = n, then P is data-oblivious with respect to

X ; and

(2) if P ∈ {checkNOT, checkEX} and for all x ∈ X we may write

x = ⟨M, rϕ ⟩ forM ∈M and rϕ ∈ BitVecn for some n ∈ NwithM .n = n, then P is data-oblivious with respect to X .

Proof. Let P ∈ {checkAND, checkNOT, checkEX}, and define

four constants c1, c2, c3, c4 ∈ N. If P = checkEX let c1 denote thenumber of instructions issued by CPU to MEM in the inner loop

of P . For any P , let c2 denote the number of instructions issued

in the outer loop, c3 the number of instructions issued managing

the loop, and c4 the number of instructions issued outside the loop

context. Then for P ∈ {checkAND, checkNOT} and all x ∈ X (for

corresponding X ) we may write

|AP (⟨P , x⟩) | = n(c2 + c3) + c4

and when P = checkEX

|AP (⟨P , x⟩) | = n(nc1 + c2 + c3) + c4.

In each case |AP (⟨P , x⟩) | is a deterministic injective function of

n. Therefore for x1, x2 ∈ X , |AP (⟨P , x1⟩) | and |AP (⟨P , x2⟩) | areidentically distributed if and only if x1 and x2 represent (in part)

modelsM1 andM2 respectively such thatM1.n =M2.n. More-

over, for a fixedn by unrolling the loop(s) in P wemay easily see that

the program executes a fixed access pattern. And so, for all n ∈ Nthere exists a sequence AP∗n such that for any x ∈ X representing

(in part) a modelM for whichM .n = n,

Pr[AP (⟨P , x⟩) = AP∗n] = 1.

As such, ifx1, x2 ∈ X are such that |AP (⟨P , x1⟩) | and |AP (⟨P , x2⟩) |are identically distributed, then

Pr[AP (⟨P , x1⟩) = AP∗n] = Pr[AP (⟨P , x2⟩) = AP

∗n] = 1

for some n ∈ N. □

Nextwe argue that obcheckEU and obcheckAU are both data-oblivious.We first prove a helpful lemma.

Lemma A.4. Let P ∈ {obcheckEU, obcheckAU}, t ∈ [1..n] be anarbitrary iteration, and a, a′ ∈ [n] be arbitrary indices. Let I∗(t ) =

⟨i∗(1) , . . . , i∗(t−1)⟩ be the sequence of prior i∗ values. Then,

(1) if a ∈ I∗(t ) then Pr[i∗(t ) = a] = 0; and

(2) if a, a′ < I∗(t ) then Pr[i∗(t ) = a] = Pr[i∗(t ) = a′].

Proof. For (1), since there exists t ′ < t such that i∗(t′) = a,

during iteration t ′ the algorithm set K̂[a] = 1. For the ath iteration

of the first (resp. second) inner loop of Algorithm 3 and Algorithm 5,

b1 = 0 (resp. b ′1= 0), and so i , a (resp. i ′ , a). Since i∗ = i , a or

i∗ = i ′ , a with certainty, Pr[i∗(t ) = a] = 0.

For (2), let u ∈ [n] be such that at the beginning of the tth

iteration of the outer loop,

∑nk=0 R̂[k] − K̂[k] = u. The index α ∈

{a, a′} will be chosen as i∗(t ) if

(i) u > 0, R̂[α] = 1, and for all α ′ , α such that R̂[α ′] = 1 and

K̂[α ′] = 0, idxsπ2 [α] > idxsπ2 [α′]; or

(ii) u ≤ 0 and for all α ′ , α such that K̂[α ′] = 0, idxsπ2 [α] >idxsπ2 [α

′].

For (2.ii), the uniform choice of π2 gives each unvisited index equal

probability of having the greatest idxsπ2 value. Moreover, since by

(1) the probability that i∗(t ) will be a previously visited index is

zero, it follows from the law of total probability that Pr[i∗(t ) = i ′ =α] = 1/(n − t − 1).

For (2.i), a closed form equation for Pr[i∗(t ) = i = α] is complex,

but we can observe that it depends only on Pr[R̂[α] = 1] and if

so whether α has the greatest idxsπ2 value of all unvisited ‘made

ready’ indices. The former is uniformly distributed across all indices

by π1 regardless of model and formula structure, and the latter is

uniformly distributed by the independent π1 and π2. As such, theprobability must be the same for all indices. Then, as before by

(1) and the law of total probability we have Pr[i∗(t ) = i = α] =1/(n − t − 1). □

The oblivious nature of the algorithms then follows quickly from

the prior lemma.

Lemma A.5 (Obliviousness of obcheckEU and obcheckAU). IfP ∈ {obcheckEU, obcheckAU} and for all x ∈ X we may write

x = ⟨M, lψ , rϕ ⟩ for M ∈ M and lψ , rϕ ∈ BitVecn for some

n ∈ N withM .n = n, then P is data-oblivious with respect to X .

Proof. By an identical argument to Lemma A.3 the number of

instructions issued in an execution of P is a deterministic injective

function of n. So, for x1, x2 ∈ X , |AP (⟨P , x1⟩) | and |AP (⟨P , x2⟩) |are identically distributed only if x1 and x2 represent modelsM1

andM2 respectively such thatM1.n =M2.n.Let x1, x2 ∈ X be an arbitrary pair of such inputs. The argument

reduces to showing that for such x1 and x2 their access patterns

are identically distributed. Further, let I∗(n) be as in Lemma A.4. By

loop unrolling, it follows that for a given I∗(n) the access patternof P is fixed. So the argument may be reduced further to showing

that I∗(n) is identically distributed for x1 and x2. But, by Lemma A.4

the choice of i∗(t ) for all t ∈ [1..n] is always uniformly distributed

over all unvisited indices regardless of model structure and prior

choices. It follows that whole sequences are also uniformly — and

so identically — distributed for x1 and x2. □

The proof of Theorem 3.1 now follows immediately from the con-

clusions of these lemmas.

Proof. Apply Lemma A.3 and Lemma A.5. □

Our second theorem establishing the functional correctness and

efficiency of the oblivious checking algorithm is also restated here.

Theorem 3.2. For any Kripke structureM = (S, I , δ , L) and CTLformula ϕ

(1) obcheckCTL (M, ϕ) = 1 if and only ifM |= ϕ; and(2) obcheckCTL (M, ϕ) runs in timeO (mn2) where |M| = O (n2)

and |ϕ | =m.

We will not provide a detailed proof of this theorem, but rather

sketch the proof by arguing (somewhat informally) that certain

invariants between the original checkEU and checkAU subroutines

and their oblivious variants hold. This implies the functional equiv-

alence of the obcheckCTL algorithm to checkCTL, at which point

Theorem 2.1 and the additiveO (n) cost of permutations completes

the argument.

Proof Sketch. As the differences between obcheckCTL and

checkCTL lie exclusively within obcheckEU and obcheckAU, we

argue these subroutines are functionally equivalent to their non-

oblivious variants and retain complexity O (n2). The complexity

follows immediately for both subroutines due to their nested loop

structure with both inner and outer iterating over [M .n].As for functional equivalence, the core of the argument is that

(i) we process all states ‘made ready’ before any others; that (ii) we

process those states in an order consistent with the use of R in the

original algorithms; that (iii) while processing ‘made ready’ states

under identical selection we, as compared to the original algorithms,

update R̂ to be identical to o, R̂ − K̂ to be an exact representation of

inclusion into R, and K̂ to be an exact representation of inclusion

into K . That all processing done on states not ‘made ready’ in

the oblivious algorithm does not modify R̂ then establishes the

equivalency. Once we have shown that obcheckCTL runs in time

O (mn2) and is functionally equivalent to checkCTL, Theorem 2.1

completes a proof. □